Lack of data validation - Path Traversal In gogs.io/gogs

Description

Gogs has arbitrary file read/write via Path Traversal in Git hook editing

Vulnerability Description

In the endpoint:

/username/reponame/settings/hooks/git/:name

the :name parameter:

    Is URL-decoded by macaron routing, allowing decoded slashes (/)

    Is then passed directly to:

git.Repository.Hook("custom_hooks", name)

which internally resolves the path as:

filepath.Join(repoPath, "custom_hooks", name)

Because no path sanitization is applied, supplying ../ sequences allows access to arbitrary paths outside the repository.
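The following Go program is an added illustration, not code from Gogs or from the advisory. `NaiveHookPath` reproduces the resolution described above (`filepath.Join(repoPath, "custom_hooks", name)` with no validation) so the escape can be observed; `SafeHookPath` is a hardened resolver written for this page (an assumed design, not the upstream patch) that rejects any name with separators or dot components and additionally verifies that the joined path still lies under the hooks directory. The repository path and file names are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrInvalidHookName is returned for any name that is not a plain file name
// inside custom_hooks.
var ErrInvalidHookName = errors.New("invalid hook name")

const sep = string(filepath.Separator)

// NaiveHookPath mirrors the resolution the advisory describes: Join calls
// Clean, so "../" components collapse and the result can leave the repository.
func NaiveHookPath(repoPath, name string) string {
	return filepath.Join(repoPath, "custom_hooks", name)
}

// outside reports whether target is not contained in dir (dir itself counts
// as outside, since a hook must be a file below the directory).
func outside(dir, target string) bool {
	rel, err := filepath.Rel(dir, target)
	return err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+sep)
}

// Escapes reports whether naively resolving name leaves custom_hooks.
func Escapes(repoPath, name string) bool {
	hooksDir := filepath.Join(repoPath, "custom_hooks")
	return outside(hooksDir, NaiveHookPath(repoPath, name))
}

// SafeHookPath is the hardened resolver (assumed design):
//  1. the name must be a single path element (no "/" or "\" at all, so
//     URL-decoded %2f sequences are rejected as well),
//  2. it must not be "", "." or "..", and
//  3. as defence in depth, the joined path must still be under custom_hooks.
func SafeHookPath(repoPath, name string) (string, error) {
	if name == "" || name == "." || name == ".." || strings.ContainsAny(name, `/\`) {
		return "", ErrInvalidHookName
	}
	hooksDir := filepath.Join(repoPath, "custom_hooks")
	p := filepath.Join(hooksDir, name)
	if outside(hooksDir, p) {
		return "", ErrInvalidHookName
	}
	return p, nil
}

func main() {
	repo := "/data/repos/alice/project.git" // constructed sample repository path
	for _, name := range []string{"pre-receive", "../../outside.txt"} {
		fmt.Printf("%-20s naive=%s escapes=%v\n", name, NaiveHookPath(repo, name), Escapes(repo, name))
		if p, err := SafeHookPath(repo, name); err != nil {
			fmt.Printf("%-20s safe=rejected (%v)\n", name, err)
		} else {
			fmt.Printf("%-20s safe=%s\n", name, p)
		}
	}
}
```

The containment check alone would be enough to stop traversal; the whitelist on the name is kept as the primary control because hook names are a closed, operator-chosen set and a positive check is easier to audit than a path-normalisation argument.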

As a result:

    GET: Arbitrary file contents are displayed in the hook edit page textarea (Local File Inclusion).

    POST: Existing files can be overwritten with attacker-controlled content (Arbitrary File Write).


Attack Prerequisites

    The attacker is an authenticated user

    The attacker has Admin or higher privileges on the target repository

    The attacker has the AllowGitHook permission (or is a site administrator)

    The target file is readable/writable under the OS permissions of the Gogs process


Attack Scenario

    An attacker (with AllowGitHook + repository Admin privileges) accesses the Git hook edit URL

    A path containing ../ is supplied in :name, fully URL-encoded using %2f

    The server resolves custom_hooks/../../... without validation

    Arbitrary file contents are displayed and existing files can be overwritten


Potential Impact

    Sensitive information disclosure: app.ini, databases, logs, environment variables, etc.

    Configuration or data tampering: Overwriting existing files

    Secondary impact: Extraction of SECRET_KEY and database credentials may allow token forging or further compromise

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

FLAT-CVXDV – Vulnerability | Fluid Attacks Database